Sanctioned Country Traffic Blocked by Auth0

Problem statements & solutions

The U.S. Government imposes export control restrictions on certain countries and regions. As a result, Auth0 and Okta block all requests that originate from those regions.

Who is Auth0 blocking from accessing the Auth0 Service?

We block all Users, including administrator Users and all end Users of Customers, from logging in to the Auth0 Platform from certain regions, in order to strengthen our customers’ and Auth0’s existing contractual responsibilities to remain in compliance with certain U.S. export control restrictions.

Why are we blocking Users from access to Auth0 Service?

In support of our customers’ and Auth0’s existing contractual obligations with respect to U.S. export control laws, Auth0 customers are not permitted to access the Auth0 Platform from Cuba, Iran, North Korea, Syria, or the regions of Crimea, Luhansk, or Donetsk without prior approval from the U.S. Government. This restriction applies even if a User is only temporarily visiting one of the aforementioned regions.

When are we blocking Users from access to Okta Service, including the Auth0 Platform?

Okta will be disabling the ability for any Users to access the Auth0 Platform from the aforementioned regions starting on October 17, 2022.

Will Auth0 deny any access request from these regions or will it disable the user/s who will be accessing from these regions?

We deny access requests from these regions; user accounts are not disabled. Note that if you are using a custom domain, users will not see an error page; they will simply be unable to connect.

Why are we taking technical measures now to block Users from access to Okta Service, including the Auth0 Platform?

Customers are responsible for ensuring compliance with applicable laws. We are taking this action to strengthen our customers’ and Auth0 and Okta’s existing, contractual responsibilities to remain in compliance with certain U.S. export control restrictions.

What is OFAC?

The Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC controls apply whenever economic and trade sanctions are in place. To learn more about these laws, visit: U.S. Department of Commerce’s Bureau of Industry and Security and U.S. Treasury Department’s Office of Foreign Assets Control.

Can Okta/Auth0 handle these OFAC controls for me?

As a Customer, you are responsible for ensuring your own compliance with applicable laws. As outlined in the Okta Master Subscription Agreement, you must use the Okta Service in compliance with applicable laws. You are responsible for choosing your own Okta or Auth0 regions for deploying your tenant and ensuring that your configuration meets relevant requirements. Okta does not inspect, approve, or monitor the tenants or applications you deploy on the Okta Service (including the Auth0 Platform).

What diligence does Okta/Auth0 conduct?

For Customer purchases, Okta conducts diligence to prevent purchases by organizations located within OFAC-embargoed countries. However, it is your responsibility to prevent prohibited access to, and transactions involving, the applications you deploy on the Okta Service (including the Auth0 Platform). Okta does not block network traffic to your website. Although OFAC explains that companies can restrict access based on IP address ranges, IP-based blocking does not necessarily address all compliance risks. Okta has no responsibility for, and no direct knowledge of, the end users who interact with your applications through the Okta Service (including the Auth0 Platform).

What if I have a User or Users that are traveling to these regions? How can I ensure that they continue to have access to Okta, Auth0, and related applications?

We have an exemption process to allow for those Users to maintain access to their Okta managed org or Auth0 tenant, if such access is authorized pursuant to a license from OFAC.

What is the process to receive an exemption if I am legally permitted and subscribe to the Okta Service?

Customers can receive a temporary exemption by contacting us at CSEvents@okta.com. You will be required to complete a questionnaire to identify whether you are eligible to access the Okta Service from an embargoed territory. Please allow up to five business days for your request to be completed.

What is the process to receive an exemption if I am legally permitted and subscribe to the Auth0 Platform?

Customers can receive a temporary exemption by contacting us at SanctionsExemptions@auth0.com. You will be required to complete a questionnaire to identify whether you are eligible to access the Auth0 Platform from an embargoed territory. Please allow up to five business days for your request to be completed.

What are some examples of valid exemption requests?

A valid exemption request will only be granted to entities that hold a license from OFAC to engage in a transaction that would otherwise be prohibited. Customers must ensure that all transactions conducted pursuant to general or specific licenses strictly observe all conditions of those licenses and comply with applicable laws.

What is the expected turnaround time needed to grant access?

Customers should expect the processing of the request to take up to five business days from the time they submit their exemption request questionnaire. The exemption request form can be obtained by Auth0 customers at SanctionsExemptions@auth0.com.

Can I apply for an extension if needed, after an exemption request has been approved? If so, how long will the extension be?

If you need an extension, you will need to specify the timeline and length in your request based on any exemption permitted to you under OFAC.

I am a user, or I have a user, who is not actually located in one of these regions, but the IP address shows as if they were. How do I rectify this?

Auth0 Customers
Look up the public IP address from which the login request actually reaches Auth0 (for example, the egress address of a VPN or corporate proxy, not the device’s local address) with the MaxMind tool and confirm that MaxMind shows the correct country code, since that is the address that is geolocated. If the data is incorrect, submit a correction request to MaxMind.

I have a special case permitted under United States law and by OFAC; what should I do and how long can I be granted an exemption?

You will be required to complete a questionnaire to identify whether you are eligible to access Okta applications from an embargoed territory and you can submit documentation verifying your OFAC specific license. You must request a specific time period to apply to your exemption. The exemption is only temporary.

Auth0 Customers Seeking Exemption
Customers can receive a temporary exemption by contacting us at SanctionsExemptions@auth0.com.

In addition to Okta’s automatic blocking, what other features does Okta offer to help me block IP ranges for the Auth0 Platform?

The Auth0 Platform

The Auth0 Platform also makes available features for you to:

  • Choose your Deployment Regions. When you create a tenant with Auth0, you select the region in which your tenant’s data is stored. For example, you may choose to store your data in the United States or in another region of your choice.

  • Country-based Access Control. Auth0 lets you enable country-based access control through a no-code Actions integration or by writing an Action yourself. This lets you deny logins based on the country to which the user’s source IP address geolocates, independently of Auth0’s own platform-level block. For additional information, see the Auth0 Actions documentation.
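The following is an added example of the "write it yourself" variant described above; it is not Auth0's own code and not the marketplace integration. It uses the Auth0 Actions post-login trigger, where `event.request.geoip.countryCode` and `api.access.deny()` are part of the Actions API. The country list, the fail-closed setting when no country can be determined, and the `sanctions_license` entry in `app_metadata` are assumptions made for the example.

```javascript
// Added example, not Auth0's own code: an Auth0 post-login Action that denies
// logins whose source IP geolocates to a blocked country. `event.request.geoip`
// and `api.access.deny` are part of the Auth0 Actions API; the deny list, the
// fail-closed setting and the `sanctions_license` metadata key are assumptions.

// ISO 3166-1 alpha-2 codes for the countries named on this page. Crimea,
// Luhansk and Donetsk have no country code of their own, so a country-level
// check cannot single them out; that needs subdivision-level GeoIP data.
const BLOCKED_COUNTRIES = new Set(["CU", "IR", "KP", "SY"]);

// What to do when no country can be determined (no geoip block, empty code).
// true = fail closed (deny). Failing open is friendlier but lets any login
// with missing geolocation straight through.
const DENY_WHEN_UNKNOWN = true;

// Hypothetical: a user whose app_metadata carries a reviewed license record
// may log in from a listed country until the record expires. This only relaxes
// this tenant's own rule; it cannot lift Auth0's platform-level block, which
// requires the exemption process described on this page.
function hasLicenseExemption(event, countryCode, now) {
  const meta = (event.user && event.user.app_metadata) || {};
  const lic = meta.sanctions_license;
  if (!lic || !Array.isArray(lic.countries) || !lic.expires) return false;
  const expires = Date.parse(lic.expires);
  if (Number.isNaN(expires) || expires <= now) return false;
  return lic.countries.includes(countryCode);
}

// Pure decision function: returns { allowed, countryCode, reason } without
// touching the Auth0 api object, so it can be unit-tested offline.
function evaluateLogin(event, options = {}) {
  const blocked = options.blockedCountries || BLOCKED_COUNTRIES;
  const denyWhenUnknown = options.denyWhenUnknown ?? DENY_WHEN_UNKNOWN;
  const now = options.now ?? Date.now();

  const geo = event && event.request ? event.request.geoip : undefined;
  const raw = geo && typeof geo.countryCode === "string" ? geo.countryCode.trim() : "";
  const countryCode = raw ? raw.toUpperCase() : null;

  if (countryCode === null) {
    return denyWhenUnknown
      ? { allowed: false, countryCode: null, reason: "Login country could not be determined." }
      : { allowed: true, countryCode: null, reason: null };
  }
  if (!blocked.has(countryCode) || hasLicenseExemption(event, countryCode, now)) {
    return { allowed: true, countryCode, reason: null };
  }
  return { allowed: false, countryCode, reason: `Access from ${countryCode} is not permitted.` };
}

// Auth0 Actions entry point. api.access.deny() ends the login and returns an
// access_denied error, with the reason as error_description, to the application.
async function onExecutePostLogin(event, api) {
  const decision = evaluateLogin(event);
  if (!decision.allowed) {
    api.access.deny(decision.reason);
  }
}

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.evaluateLogin = evaluateLogin;
}
```

Deploy only the `onExecutePostLogin` export in the Action; `evaluateLogin` is split out so the decision logic can be tested with constructed events. Because Auth0 geolocates the source IP, a user behind a VPN or proxy is judged by that exit address, which is the same behaviour described for Auth0's own block above.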

Does Okta/Auth0 have a documented OFAC list of countries?

No, Okta/Auth0 does not maintain such a list. Refer to the U.S. Department of the Treasury page for details on the Office of Foreign Assets Control sanctions programs: Home | Office of Foreign Assets Control